Postcard from Europe: play nice with personal data or pay

Europe is making new rules on digital privacy, and if American companies don’t follow the new policy, they could pay billions.
 
It’s been said that a boat is a “hole in the water where you throw your money.” The same holds true for the Internet, a hole in the ether where you throw your information, without knowing exactly where it will go and who will have control of it.
 
That could change in Europe, under new data protection rules that may start next year.
 
“The reform will allow people to regain control of their personal data,” said a press release from the European Union.
 
“Two-thirds of Europeans (67%), according to a recent Eurobarometer survey, stated they are concerned about not having complete control over the information they provide online. Seven Europeans out of ten worry about the potential use that companies may make of the information disclosed,” the press release said.
 
The European Union said people in Europe will have easier access to their own data, a right to data portability, a clarified “right to be forgotten,” and the right to know when their data has been hacked, among other features of the proposed policy.
 
Play or pay
 
Companies outside of Europe would have to follow the same rules, or pay fines, if they have European customers.
 
“In future, firms breaching EU data protection rules could be fined as much as 4% of annual turnover – for global internet companies in particular, this could amount to billions,” said Jan Philipp Albrecht of the European Parliament.
 
For Facebook, it could mean fines of $500 million, for Alphabet—Google’s parent company—the fines could reach $2.4 billion, for Microsoft, $3.7 billion, and for Apple, $9.3 billion, reported USA Today.
 
Will it work?
 
A cybersecurity expert says fines may not result in total compliance.
 
“While I applaud the EU for taking a stronger stance on cybersecurity, legislation and regulation often have significant unintended consequences,” said Patrick C. Miller of Archer Security Group. “I’ve seen financial penalties make people do crazy things.”
 
Some companies are hesitant to change the way they do business, he said, in part because it costs money and the result may be uncertain. But that mindset can lead to problems.
 
“Sometimes companies will spend enormous amounts time and money trying to exploit the loopholes so they can avoid improving their security, as much or more than they would have spent on being more secure,” Miller said. “That time and money is not being spent on innovative ways to provide products and services in a more secure manner while maintaining a strong bottom line.”
 
“They’re thinking long-term for their business. They’re not thinking long-term for security,” he added.
 
The slow pace of legislation
 
There is another, possibly larger problem, said Miller.
 
“Hackers are faster than laws,” he said. “Technology—and the good or bad people who use it—will move at a faster pace than the laws designed to regulate it.”
 
Both lawmakers and European citizens may need to see the rules as one step along a long path, according to Miller.
 
“These legal efforts often result in a false sense of security by everyone in the mix,” he said.
 
Not all bad
 
The new rules could have positive effects as well.
 
For example, the focus on data breaches could raise the bar for security around the world, Miller said.
 
“Companies don’t like to talk about data breaches,” explained Miller. “It’s not considered good for business. Now, they will have to do the forensics, and look at exactly how it happened and how many people were affected.”
 
That will bring more information to the fore, to help good actors figure out how to keep ahead of the bad actors.
 
“I think it’s going to help everybody,” Miller said. “Consumers, companies, insurance companies, countries, everybody.”
 
Vote
 
The European Parliament as a whole will vote on the new rules in the spring of next year. Countries in the EU will then have two years to add the rules to their national laws.